Cyber Briefing: 2025.07.24
Interlock ransomware alert, WordPress backdoor, GitLab XSS patches, Beluga Vodka attack, France Travail breach, SharePoint exploit, AI fraud risk, XSS forum admin arrest, Google OSS Rebuild.
👉 What's going on in the cyber world today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please Subscribe
🚨 Cyber Alerts
1. Interlock Ransomware Threat Alert
The US government has issued an alert regarding Interlock ransomware, which targets organizations through drive-by download attacks and employs a double extortion model by encrypting virtual machines and exfiltrating data. This ransomware, active since September 2024, targets both Windows and Linux systems and has been observed to compromise critical infrastructure, businesses, and other organizations in North America and Europe.
2. Backdoor Found in WP Plugins
A sophisticated WordPress malware campaign has been discovered operating through the rarely monitored mu-plugins directory, giving attackers persistent access to compromised websites while evading traditional security measures. The malicious code, identified as wp-index.php, exploits WordPress’s “must-use plugins” functionality to maintain continuous operation without the possibility of deactivation through the admin panel.
3. GitLab Patches Key Vulnerabilities
GitLab has released urgent security patches for its Community and Enterprise Editions to address multiple vulnerabilities, including two high-severity cross-site scripting (XSS) issues affecting Kubernetes proxy functionality. All self-managed GitLab installations are strongly advised to upgrade immediately to mitigate these significant security risks.
For more alerts, click here!
💥 Cyber Incidents
4. Beluga Vodka Ransomware Attack Reported
Beluga, a Russian premium vodka producer owned by NovaBev Group, experienced a sophisticated ransomware attack on July 14, 2025, that severely disrupted its IT infrastructure and operational capabilities. The company has refused to negotiate with the cybercriminals, instead engaging external cybersecurity experts to aid in recovery and forensic analysis, with preliminary findings suggesting no customer personal data was compromised.
5. Data Breach Affects 340K Jobseekers
France Travail, the French employment agency, recently experienced a data breach exposing the personal information of 340,000 jobseekers, including names, addresses, phone numbers, and jobseeker statuses. This incident, caused by an infostealer malware compromising a partner's account, marks the second data breach for the agency in two years.
6. Hackers Use Ransomware on SharePoint Servers
Microsoft has reported that Chinese "threat actors," including state-sponsored hackers, have exploited vulnerabilities in its on-premises SharePoint servers, leading to breaches in hundreds of government agencies and organizations, primarily in the US. The company has released security updates and urged users to install them to prevent further attacks by the identified hacking groups.
For more incidents, click here!
📢 Cyber News
7. Altman Flags Looming AI Fraud Crisis
OpenAI CEO Sam Altman warns of a potential "fraud crisis" due to AI's ability to impersonate individuals, particularly highlighting the vulnerability of voice authentication in financial institutions. These concerns were raised during a Federal Reserve interview, where Altman also discussed AI's economic impact and OpenAI's increasing presence in Washington D.C. to engage with policymakers.
8. XSS Forum Admin Arrested in Kyiv
Europol, in collaboration with French and Ukrainian authorities, has announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a major Russian-speaking cybercrime forum. The arrest, which took place in Kyiv on July 22, 2025, follows a 2021 investigation and has also led to the seizure of the XSS.is clearnet domain.
9. Google OSS Rebuild Exposes Malicious Code
Google has launched OSS Rebuild, a new initiative designed to enhance the security of open-source package ecosystems and prevent software supply chain attacks. This project aims to provide verifiable build information for packages across major registries, helping users confirm a package's origin and detect tampering.
For more news, click here!
📈 Cyber Stocks
Cybersecurity stocks exhibited mixed performance on Thursday, July 24, 2025, as traders balanced valuation pressures, policy cues, and earnings momentum.
Okta (OKTA) was flat at $95.63, as mixed Q1 commentary and institutional activity, including a $4.7 million position opened by Louisiana State Employees’ Retirement System, offset broader market volatility.
Radware (RDWR) dipped 0.83% to $28.80, under slight pressure due to a lack of immediate catalysts and general softness in the cybersecurity sector.
CrowdStrike (CRWD) declined 2.11% to $461.52, affected by ongoing investor rotation out of high-valuation tech stocks amid macroeconomic uncertainty.
Palo Alto Networks (PANW) rose 1.26% to $199.22, supported by strong positioning in the federal cybersecurity space and optimistic analyst sentiment ahead of earnings.
Fortinet (FTNT) increased 0.27% to $105.06, bolstered by a high Relative Strength Rating and expectations of a breakout following its strong Q2 performance.
💡 Cyber Tip
Hidden WordPress Backdoors Use Must-Use Plugins to Evade Detection
Security researchers have uncovered a stealthy malware campaign targeting WordPress sites through the rarely monitored mu-plugins directory. Attackers deploy a persistent backdoor using a file called wp-index.php, which cannot be disabled via the admin panel. The malware uses obfuscation, hidden admin users, and database-stored payloads to maintain control over compromised sites while avoiding traditional file-based detection methods.
✅ What you should do:
Regularly inspect the mu-plugins directory for unfamiliar files or scripts.
Monitor your WordPress database for unusual entries in the options table, especially hidden payloads.
Audit all admin accounts to detect unauthorized users like “officialwp.”
Use security plugins that include database scanning and behavior-based anomaly detection.
Keep your WordPress core, themes, and plugins updated and backed up.
🔒 Why this matters:
This malware avoids standard detection by hiding in places most tools don’t check. Its use of persistent, database-based payloads and concealed admin users allows attackers to maintain full control of your site. Proactive monitoring of both filesystem and database activity is essential for WordPress security.
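The checklist above (and alert 2 earlier in this issue) boils down to three audits: unfamiliar or obfuscated files in mu-plugins, payload-shaped values in the options table, and administrator accounts nobody recognises. The script below is an added example written for this briefing; it is not code from the newsletter, from WordPress, or from the researchers who reported the campaign. It assumes a site owner maintains their own allowlists (KNOWN_MU_PLUGINS, KNOWN_ADMINS, both hypothetical) and feeds it the mu-plugins directory plus wp_options and user rows exported from the database; the sample files, option values and user list are constructed inline so it runs offline.

```python
"""Audit helpers for the WordPress mu-plugins backdoor pattern.

Added example, not from the newsletter or any research report. The allowlists
and the sample files/rows below are hypothetical and constructed for the demo.
"""
import base64
import os
import re
import tempfile

# Hypothetical allowlists a site owner would keep for their own install.
KNOWN_MU_PLUGINS = {"site-health-tweaks.php"}
KNOWN_ADMINS = {"site_owner"}

# Constructs common in obfuscated PHP loaders: dynamic eval/decoders, or a
# variable used as a function name ($f($x)). A hit means "look at this file",
# not proof of compromise on its own.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(|"
    r"\$\w+\s*\(\s*\$\w+\s*\)", re.I)

# A long base64 blob is the shape a payload takes when stashed in wp_options.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def audit_mu_plugins(mu_dir, known=KNOWN_MU_PLUGINS):
    """Return (filename, reason) pairs for mu-plugins that are not on the
    allowlist or that contain obfuscation constructs. Only top-level files are
    checked because WordPress auto-loads only top-level .php files here."""
    findings = []
    for name in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, name)
        if not os.path.isfile(path):
            continue
        if name not in known:
            findings.append((name, "not in mu-plugins allowlist"))
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            match = SUSPICIOUS_PHP.search(fh.read())
        if match:
            findings.append((name, f"obfuscation construct: {match.group(0)}"))
    return findings


def audit_options(rows):
    """Flag wp_options rows (option_name, option_value) whose value is a large
    base64 blob, and additionally if that blob decodes to PHP source."""
    findings = []
    for name, value in rows:
        if not BASE64_BLOB.match(value):
            continue
        findings.append((name, "large base64 value"))
        try:
            decoded = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if b"<?php" in decoded or SUSPICIOUS_PHP.search(decoded.decode("latin-1")):
            findings.append((name, "decodes to PHP code"))
    return findings


def audit_admins(users, known=KNOWN_ADMINS):
    """Return administrator usernames (from (username, role) rows) that are not
    on the known-admin list, e.g. a planted account like 'officialwp'."""
    return sorted(u for u, role in users if role == "administrator" and u not in known)


# Constructed sample inputs standing in for a compromised site's artefacts.
SAMPLE_FILES = {
    "site-health-tweaks.php": "<?php\n// legitimate: tweak site health tests\n"
                              "add_filter('site_status_tests', fn($t) => $t);\n",
    "wp-index.php": "<?php\n$k = get_option('_transient_wp_core_cache');\n"
                    "$f = 'ba'.'se64_decode';\neval($f($k));\n",
}
PAYLOAD = b"<?php /* constructed stand-in for a stored loader */ echo 'x'; ?>"
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("_transient_wp_core_cache", base64.b64encode(PAYLOAD).decode()),
    ("blogdescription", "Just another WordPress site"),
]
SAMPLE_USERS = [("site_owner", "administrator"), ("editor_jane", "editor"),
                ("officialwp", "administrator")]


def run_demo():
    """Write the constructed mu-plugins into a temp dir and run all three audits."""
    with tempfile.TemporaryDirectory() as mu_dir:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        files = audit_mu_plugins(mu_dir)
    return {"files": files, "options": audit_options(SAMPLE_OPTIONS),
            "admins": audit_admins(SAMPLE_USERS)}


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section)
        for item in items:
            print("  ", item)
```

On a real site, point audit_mu_plugins at wp-content/mu-plugins and feed audit_options the output of a query such as selecting option_name and option_value from the options table; the base64 threshold and the allowlists are the knobs to tune so the script stays quiet on your own legitimate plugins and transients.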
📚 Cyber Book
Game Hacking: Developing Autonomous Bots for Online Games by Nick Cano
That concludes today’s briefing. You can check the top headlines here!
Copyright © 2025 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.
I can’t deal with this AI slop. Let’s try and make it personal as if it’s written by someone. I want to see personality, care and attention. Not just an automated rundown of news.